a5e127b40d8ee4de136544f90b47723aee93def5d9e292d9976ff792052f717d

General
Target

a5e127b40d8ee4de136544f90b47723aee93def5d9e292d9976ff792052f717d

Size

1MB

Sample

220521-bqk76afcgj

Score
10 /10
MD5

80d84e12370330c4b1d40823dc1704ae

SHA1

7696664c30e80a9c60cadcdba27691a49d5cc501

SHA256

a5e127b40d8ee4de136544f90b47723aee93def5d9e292d9976ff792052f717d

SHA512

3530fce524dcb89c5bf4229d2cbb26f67b3e8443b8f21298071ca85f00e6136e6cc543ea068b68d85613e48895c76cc5d0dcfcb6c822a78c8f5b6cb0d7f705f5

Malware Config

Extracted

Family xloader
Version 2.0
Campaign rcgc
Decoy

allwinpressing.com

topographix.net

theraymondng.com

massvp.com

evchn.com

victorialouiseimagery.com

gallerysouthlosaltos.com

rackspaceupdate.com

genesprofile.com

vyscoxa.net

lishaobing.com

knottherapymassage.com

grappletoytether.net

thetastevegan.com

actionpaintservices.com

perdidoveteransdayparty.com

hotteo.com

tanngogia.com

xn--oy2b11lymexwcbzy.com

ap-lrco.com

mslbusgov.com

bidonmybeat.com

playdeja.com

scottwhit.com

mensnutramarket.com

vahesacandheating.com

bondbi.info

ladydriven.us

shoplivebetter.com

championactionplan.win

fundacaofranciscovicentini.com

bdtpost.com

healthandsleep.com

perdre-5-kilos.com

block-chain-wallet.site

strathmorefamilymedical.com

thesparklefactory.net

xiku.ink

xhtd24.com

qtracking.site

accessroyalb-tr.com

ozyurt.site

standinyourshoes.financial

hnyadl.com

arthurmanask.com

xrayvisionsensor.info

thetkinnycaffe.com

imagemore.net

coinsultancy.net

dreamsjournal.net

Targets
Target

630377.xls .scr

MD5

596b08cab4dec9f4c91112410b811c22

Filesize

535KB

Score
10/10
SHA1

c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b

SHA256

2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be

SHA512

f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8

Tags

Signatures

  • Formbook

    Description

    Formbook is a data-stealing malware.

    Tags

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • Xloader Payload

    Tags

  • Executes dropped EXE

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Tags

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation